16 February 2021

Preparing For Pentests Like A Formula One Champ

Nathan Jones

by Nathan Jones Director, Customer Success, Synack

At last year’s Formula One World Drivers’ Championship, Lewis Hamilton made history by becoming the first driver to win seven consecutive titles as part of the Mercedes-AMG Petronas team. I’m a big Hamilton fan as well as a cybersecurity practitioner, and I see lots of lessons for security—and penetration tests, specifically—in his team’s consistent wins.

The primary lesson is that preparation breeds success.

Hamilton and his crew work on their car months before race season even starts, and sometimes years in advance, to deliver the most technically advanced—and fastest—Formula One car. They are also constantly making improvements and adjustments throughout the season. Applying that kind of preparation—and continuous care—when it comes to cybersecurity, specifically when getting ready for a pentest, has tremendous benefits. 

Here are seven key takeaways inspired by Hamilton that can help you achieve consistent cybersecurity wins and make the most of your crowdsourced pentest experience with Synack, the smartest and most trusted testing platform. 

  1. Consider the scope of the test

Hamilton’s team is incredibly focused. They are building a car for a specific task and have to balance speed, endurance and handling.

For penetration tests, it’s vital that you’re just as focused, especially when it comes to the scope of the project. If a particular web asset or application is going to be tested, but a particular URL might be out of scope—maybe it contains a web form you don’t want scanned—this should be highlighted before testing. The penetration tester can adjust the scope of a test during the process, but it’s critical to get as much information prior to the test commencing to avoid surprises. 

Synack’s Crowdsourced Security Testing platform puts you in the driver’s seat from the very beginning. Our platform goes beyond traditional pen testing to give you transparency and control throughout the testing engagement making it easy to define scope up front or modify during testing.

Another area to consider scope is with vulnerability classes. Synack has a default set of low-impact vulnerability classes typically deemed out of scope. But there are occasions when one of these out-of-scope vulnerability classes are deemed important by the client due to local factors, in which case these can be included within the pentest. The client should review and understand these classes up front.

  1. Understand the Rules of Engagement (RoE)

Just like drivers and their pit teams have to understand the rules of the race, penetration testing firms abide by Rules of Engagement, specifying what they should test and how. 

Most penetration testing firms have standard Rules of Engagement that the majority of clients use with no additions or amendments. The standard RoE, for example, specifies that physical or social engineering attacks should not be carried out. However, the client should provide specific guidance that spells out any additional limitations to help focus the testers on the scope of what’s fair game to test. Examples of additional requirements include requiring researchers to use specific text as part of a self-registration process that enables the client to identify them as penetration testers. 

Synack’s Operations team partners with you to define the assessment’s scope and rules of engagement, catered to how your organization sees risk.

  1. Set the criteria of success

While winning a race is an obvious success, the improvement of the driver and the race car’s systems are also successes. Similarly, clients should discuss what defines success for the penetration tester and for their company. For the pen tester, success is often determined by uncovering vulnerabilities or the thoroughness of the test. However, some clients will have particular outcomes in mind, such as compliance-based tests or testing that focuses on a particular area of the application. It’s important to discuss these criteria at the beginning. 

Another factor to consider is the cadence of testing needed for specific assets. For some assets, traditional point-in-time testing is sufficient (2 weeks); however, for assets that are updated often or externally facing, a point-in-time test may fall short. Synack’s continuous security testing can align security with continuous integration/continuous deployment (CI/CD) development practices, shorten and/or eliminate the life of exploitable vulnerabilities, and continually increase systems’ resistance to cyberattack.

As part of this, companies should avoid placing undue constraints on the penetration testers. The key benefit of crowdsourced security pentesting is the diversity and breadth of perspectives, skills, hours and coverage that our researchers provide in a highly controlled manner. Any testing constraints that negatively affect researcher impact—an outage window that minimizes the hours available for researchers to test, for example—should be avoided.

  1. Communicate with your penetration testing firm

Racers are not alone on the track. They are in constant communications with their pit team, giving them exclusive access to actionable information that’ll help them outsmart and outperform the competition. Similarly, communication is a vital part of any successful pentest. When stakeholders have all the relevant information, the process is much smoother and sets everyone up for success. A common communication failure, for example, is when the client forgets to inform the SOC or application owner that a test is happening.

Furthermore, Synack is built to give private and confidential information to clients from the most trusted ethical hackers. There’s no need to open your systems to the entire internet. 

A key part of communication is also ensuring everyone is on board with—and aware of— the Warning Order. This is a key document provided by the penetration testing firm to the client prior to testing. It details the What (test scope), the When (the dates the pentest will take place) and the How (the rules of engagement that must be followed by researchers). It also includes some other extremely useful information such as what to expect during testing.

  1. Consider the mechanics of the penetration test

The best drivers are technical, and the best penetration testing clients are those that understand the process and how it applies to their vulnerability management lifecycle and workflow. The penetration testing firm will usually provide a portal for the client to explore results. Synack’s client portal provides one place for security teams to access information and analytics about their security testing in real time. Vulnerabilities flow through a logical, easy-to-use workflow from discovery to patch. 

Another procedural component is to ensure that pentesters’ source IP are added to the client’s firewall allow list. Researchers need to fully access, test and identify any vulnerabilities that could exist behind firewalls. Not allowing researchers beyond the firewall can have a negative impact on the test and often provide a false sense of security to the client.

  1. Assign a person or team to test support

Efficiently handling issues that crop up during a race can be the difference between placing and losing. That means there’s constant communication. For penetration tests, clients should be ready to support pentesters. Researchers commonly ask questions to clarify scope or request needed credentials to carry out a thorough test. It’s vital for clients to identify who can answer and resolve these questions that will come from key points of contacts within Synack so that we can quickly maximize researcher impact. Communication with security researchers is simple and documented within Synack’s client portal. 

Similarly, clients should be ready to remediate critical vulnerabilities on the fly. Penetration testers often find exploitable vulnerabilities during a test. Setting aside time to fix and remediate vulnerabilities is essential for clients to minimize overall security risks. For clients who manage their vulnerabilities in a third-party tool, the client portal will often provide an API and built-in integrations, like Jira, to communicate the data with the client’s systems. These integrations should be set up prior to the penetration test so you can integrate pen testing results into your team’s existing workflows to remediate vulnerabilities faster.

  1. Get ready to learn something new

Learning something new and incorporating that knowledge is important whether racing or testing the security of systems. If you have questions regarding your test, you should always be able to ask the relevant pentesters. A good client portal, such as Synack’s, facilitates such exchanges of information. 

In addition, clients should develop a testing strategy that includes having a prioritized set of assets. A high-level plan and engagement strategy means you’ll consume tests quickly and benefit from the findings. Pen testers should have a support team to help with planning and prioritization. 

The Synack Operations team is an internal team that eliminates the noise and manages the engagement so you can focus your time on using the testing results to harden your assets.

Finally, security should be part of your culture of development and operations. The crowdsourced pentest is an industry best practice, allowing companies to test their security and gain information on potential attacks. Companies should regularly test their systems, pushing toward a continuous testing cadence. 

After all, regular consistent practice is the common ingredient for all winning teams, whether you’re protecting critical business assets or getting ready for the Austrian Grand Prix. 

Nathan Jones is Director of Client Operations at Synack. He’s also a huge racing fan.